Configure User-ID Redistribution
Before you configure User-ID redistribution:
- Plan the redistribution architecture. Some factors to consider are:
  - Which firewalls will enforce policies for all users, and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
  - How can you minimize the number of firewalls that query the user mapping information sources? The fewer querying firewalls there are, the lower the processing load on both the firewalls and the sources.
Perform the following steps on the firewalls in the User-ID redistribution sequence.
- Configure the firewall to redistribute User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information.
  - Select Device > User Identification > User Mapping.
  - (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system. You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
  - Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
  - Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
  - Click OK to save your changes.
- Configure the service route that the firewall uses to query other firewalls for User-ID information. Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
  - (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
  - Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
  - Select UID Agent and then select the Source Interface and Source Address.
  - Click OK twice to save the service route.
- Enable the firewall to respond when other firewalls query it for User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information. Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
- Commit and verify your changes.
  - Commit your changes to activate them.
  - Access the CLI of a firewall that redistributes User-ID information.
  - Display all the user mappings by running the following command:
    > show user ip-user-mapping all
  - Record the IP address associated with any username.
  - Access the CLI of a firewall that receives redistributed User-ID information.
  - Display the mapping information and authentication timestamp for the <ip_address> you recorded:
    > show user ip-user-mapping <ip_address>
    IP address: 192.0.2.0 (vsys1)
    User: corpdomain\username1
    From: UIA
    Idle Timeout: 10229s
    Max. TTL: 10229s
    MFA Timestamp: first(1) - 2016/12/09 08:35:04
    Group(s): corpdomain\groupname(621)
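The check in the last step can be scripted. The following Python snippet is an added example, not part of the Palo Alto Networks documentation: it parses the receiving firewall's `show user ip-user-mapping <ip_address>` output (one field per line, with the sample values constructed from the output shown above) and reports a mapping that is for the wrong address or user, that did not arrive from a User-ID agent (the `From: UIA` source, which is how the redistributing firewall identifies itself), or whose idle timeout is inconsistent with its maximum TTL. The function names are my own.

```python
import re

# Constructed sample, built from the receiving-firewall output shown on the page.
SAMPLE_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""


def parse_ip_user_mapping(text):
    """Turn the 'Key: value' lines into a dict; timeouts become ints (seconds)."""
    mapping = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        mapping[key.strip()] = value.strip()
    # "IP address: 192.0.2.0 (vsys1)" -> separate address and virtual system
    ip_match = re.match(r"(\S+)\s*\((\w+)\)", mapping.get("IP address", ""))
    mapping["ip"] = ip_match.group(1) if ip_match else mapping.get("IP address")
    mapping["vsys"] = ip_match.group(2) if ip_match else None
    for key in ("Idle Timeout", "Max. TTL"):
        if key in mapping:
            mapping[key] = int(mapping[key].rstrip("s"))
    return mapping


def check_redistributed_mapping(text, expected_ip, expected_user):
    """Return a list of problems; an empty list means the mapping verified."""
    m = parse_ip_user_mapping(text)
    problems = []
    if m.get("ip") != expected_ip:
        problems.append(f"mapping is for {m.get('ip')}, expected {expected_ip}")
    if m.get("User") != expected_user:
        problems.append(f"user is {m.get('User')!r}, expected {expected_user!r}")
    # UIA = learned from a User-ID agent, i.e. via the redistributing firewall
    if m.get("From") != "UIA":
        problems.append(f"source is {m.get('From')!r}, not UIA (not redistributed)")
    idle, ttl = m.get("Idle Timeout"), m.get("Max. TTL")
    if idle is None or ttl is None:
        problems.append("Idle Timeout or Max. TTL field missing")
    elif idle <= 0 or idle > ttl:
        problems.append(f"idle timeout {idle}s is outside (0, {ttl}s]")
    return problems
```

Feed it the output captured from the receiving firewall, together with the address and username you recorded on the redistributing firewall.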